by captn3m0 1818 days ago
I gave the following prompt:

    // get password from the database using a mysql query
    function fetch_password(string $username) {

And 7/10 parameters are vulnerable to SQL-injection. Here's the first:

        global $mysqli;
        $query = "SELECT password FROM users WHERE username = '$username'";
        if ($result = $mysqli->query($query)) {
            $row = $result->fetch_assoc();
            return $row['password'];
        }
        return false;
Here's all of them: https://paste.ubuntu.com/p/9qQ2BSnqbF/
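To make the problem in the suggestion above concrete, here is an added example that is not part of the original post or of Copilot's output. It puts the string-interpolated lookup next to a prepared-statement version (the PDO style mentioned later in the thread) and runs both against an in-memory SQLite database via PDO, so it executes offline; it assumes the pdo_sqlite extension, which standard PHP builds include. The table, its two rows and the attacker payload are constructed for the demo.

```php
<?php
// Added example, not code from the HN thread or from Copilot. The vulnerable
// function keeps the shape of the suggestion in the post; the safe one binds
// the value as a parameter. Both run against an in-memory SQLite DB through
// PDO (assumes the pdo_sqlite extension). All data below is constructed.

function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (username, password) VALUES ('alice', 'hash_of_alice'), ('admin', 'hash_of_admin')");
    return $pdo;
}

// Vulnerable: $username is spliced into the SQL text, so the parser treats
// whatever the caller supplies as part of the statement.
function fetch_password_vulnerable(PDO $pdo, string $username)
{
    $query = "SELECT password FROM users WHERE username = '$username'";
    $row = $pdo->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['password'] : false;
}

// Hardened: the statement is parsed first with a placeholder, then the value
// is bound, so it can only ever be compared as data.
function fetch_password_safe(PDO $pdo, string $username)
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['password'] : false;
}

$pdo = make_db();

// Legitimate lookup: both functions behave the same.
printf("vulnerable('alice') = %s\n", var_export(fetch_password_vulnerable($pdo, 'alice'), true));
printf("safe('alice')       = %s\n", var_export(fetch_password_safe($pdo, 'alice'), true));

// Attacker-controlled username: closes the quoted literal and appends its own
// condition, so the WHERE clause becomes  username = '' OR username = 'admin'.
$payload = "' OR username = 'admin";
printf("vulnerable(payload) = %s\n", var_export(fetch_password_vulnerable($pdo, $payload), true));
printf("safe(payload)       = %s\n", var_export(fetch_password_safe($pdo, $payload), true));
```

With the payload, the interpolated query returns the admin row's hash while the prepared statement returns false, because no user is literally named `' OR username = 'admin`. The same fix in the MySQLi API used by the post is `$mysqli->prepare('SELECT password FROM users WHERE username = ?')`, then `bind_param('s', $username)`, `execute()` and `get_result()`; escaping the input with `real_escape_string` is the older, more fragile alternative and is only correct if the literal is quoted and the connection charset is set.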

When I started with PHP over a decade ago I was using PDO and not MySQLi.

I think there's a lot of old code that perhaps should not be used by Copilot as a reference, given how some programming languages have changed quite a bit over time when it comes to the best way of doing certain things.

Yeah, that was always one of the big problems with PHP. Google search would produce these old tutorials full of SQL injection code. I think there was a community effort to clean these up, so (un)fortunately we have AI to bring them back.